05669: megadrij [688atsub]: Crash loading save state

ID	Category [?]	Severity [?]	Reproducibility	Date Submitted	Last Update
05669	Crash/Freeze	Critical (emulator)	Always	Aug 11, 2014, 19:01	Oct 16, 2015, 08:04

Tester	Firewave	View Status	Public	Platform
Assigned To		Resolution	Unable to reproduce	OS
Status [?]	Closed			Driver	sega/mdconsole.cpp
Version	0.154	Fixed in Version		Build	Debug
		Fixed in Git Commit		Github Pull Request #

Summary	05669: megadrij [688atsub]: Crash loading save state
Description	Program received signal SIGSEGV, Segmentation fault. 0x0000000004a13fa9 in z80_device::op_dd (this=0x62600008d100) at src/emu/cpu/z80/z80.c:3094 3094 OP(op,dd) { m_r++; EXEC(dd,rop()); } /* **** DD xx */ (gdb) bt #0 0x0000000004a13fa9 in z80_device::op_dd (this=0x62600008d100) at src/emu/cpu/z80/z80.c:3094 #1 0x0000000004a2042a in dd_00 (this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, this=<optimized out>, ---Type <return> to continue, or q <return> to quit--- Looks very much like a stack overflow. Happens running it with "-str 2 -autosave" twice.
Steps To Reproduce
Additional Information
Github Commit

Flags
Regression Version
Affected Sets / Systems	megadrij [688atsub]

Attached Files

No.10932 Tafoid Administrator Aug 17, 2014, 20:42	Unable to duplicate on Windows 32 or 64bit, regular or debug (through GDB)
No.11324 Firewave Senior Tester Dec 25, 2014, 11:36	The problem is m_genz80.z80_prgram being uninitialized in md_base_state::megadriv_init_common(). ==13576== Use of uninitialised value of size 8 ==13576== at 0x229C638: z80_device::execute_run() (z80.c:3521) ==13576== by 0x229D50B: non-virtual thunk to z80_device::execute_run() (z80.c:3523) ==13576== by 0x292E9D8: device_execute_interface::run() (diexec.h:191) ==13576== by 0x292D530: device_scheduler::timeslice() (schedule.c:476) ==13576== by 0x28AB6CC: running_machine::run(bool) (machine.c:391) ==13576== by 0x28A774D: machine_manager::execute() (mame.c:216) ==13576== by 0x27A6BF5: cli_frontend::execute(int, char*) (clifront.c:244) ==13576== by 0x16AD6B8: main (sdlmain.c:343) ==13576== Uninitialised value was created by a heap allocation ==13576== at 0x5406B80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==13576== by 0x2D19D04: osd_malloc_array(unsigned long) (sdlos_unix.c:108) ==13576== by 0x2AF3733: malloc_file_line(unsigned long, char const, int, bool, bool, bool) (corealloc.c:112) ==13576== by 0x1633BAB: md_base_state::megadriv_init_common() (corealloc.h:72) ==13576== by 0x1633F18: md_base_state::init_megadrij() (megadriv.c:1074) ==13576== by 0xEFA66E: md_cons_state::init_md_jpn() (megadriv.c:448) ==13576== by 0xEFEF89: void driver_device::driver_init_wrapper<md_cons_state, &md_cons_state::init_md_jpn>(running_machine&) (driver.h:131) ==13576== by 0x2801ECB: driver_device::device_start() (driver.c:210) ==13576== by 0x27BAA83: device_t::start() (device.c:392) ==13576== by 0x28AAC4E: running_machine::start_all_devices() (machine.c:1099) ==13576== by 0x28AA090: running_machine::start() (machine.c:281) ==13576== by 0x28AB45C: running_machine::run(bool) (machine.c:345) ==13576== by 0x28A774D: machine_manager::execute() (mame.c:216) ==13576== by 0x27A6BF5: cli_frontend::execute(int, char**) (clifront.c:244) ==13576== by 0x16AD6B8: main (sdlmain.c:343)
No.12073 kazblox Tester Oct 16, 2015, 08:04	This may have been fixed a long while ago, but I tried a self compile of 0.166 on Linux with GCC 5 and it doesn't seem to happen anymore.

No.10932

Tafoid

Administrator

Aug 17, 2014, 20:42

Unable to duplicate on Windows 32 or 64bit, regular or debug (through GDB)

No.11324

Firewave

Senior Tester

Dec 25, 2014, 11:36

The problem is m_genz80.z80_prgram being uninitialized in md_base_state::megadriv_init_common().

==13576== Use of uninitialised value of size 8
==13576==    at 0x229C638: z80_device::execute_run() (z80.c:3521)
==13576==    by 0x229D50B: non-virtual thunk to z80_device::execute_run() (z80.c:3523)
==13576==    by 0x292E9D8: device_execute_interface::run() (diexec.h:191)
==13576==    by 0x292D530: device_scheduler::timeslice() (schedule.c:476)
==13576==    by 0x28AB6CC: running_machine::run(bool) (machine.c:391)
==13576==    by 0x28A774D: machine_manager::execute() (mame.c:216)
==13576==    by 0x27A6BF5: cli_frontend::execute(int, char**) (clifront.c:244)
==13576==    by 0x16AD6B8: main (sdlmain.c:343)
==13576==  Uninitialised value was created by a heap allocation
==13576==    at 0x5406B80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13576==    by 0x2D19D04: osd_malloc_array(unsigned long) (sdlos_unix.c:108)
==13576==    by 0x2AF3733: malloc_file_line(unsigned long, char const*, int, bool, bool, bool) (corealloc.c:112)
==13576==    by 0x1633BAB: md_base_state::megadriv_init_common() (corealloc.h:72)
==13576==    by 0x1633F18: md_base_state::init_megadrij() (megadriv.c:1074)
==13576==    by 0xEFA66E: md_cons_state::init_md_jpn() (megadriv.c:448)
==13576==    by 0xEFEF89: void driver_device::driver_init_wrapper<md_cons_state, &md_cons_state::init_md_jpn>(running_machine&) (driver.h:131)
==13576==    by 0x2801ECB: driver_device::device_start() (driver.c:210)
==13576==    by 0x27BAA83: device_t::start() (device.c:392)
==13576==    by 0x28AAC4E: running_machine::start_all_devices() (machine.c:1099)
==13576==    by 0x28AA090: running_machine::start() (machine.c:281)
==13576==    by 0x28AB45C: running_machine::run(bool) (machine.c:345)
==13576==    by 0x28A774D: machine_manager::execute() (mame.c:216)
==13576==    by 0x27A6BF5: cli_frontend::execute(int, char**) (clifront.c:244)
==13576==    by 0x16AD6B8: main (sdlmain.c:343)

No.12073

kazblox

Tester

Oct 16, 2015, 08:04

This may have been fixed a long while ago, but I tried a self compile of 0.166 on Linux with GCC 5 and it doesn't seem to happen anymore.